(x) $_SERVER["PHP_SELF"]
(o) htmlspecialchars($_SERVER["PHP_SELF"])

출처
http://www.w3schools.com/php/php_form_validation.asp

$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function.

The form code should look like this:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

The htmlspecialchars() function converts special characters to HTML entities. Now if the user tries to exploit the PHP_SELF variable, it will result in the following output:

<form method="post" action="test_form.php/"><script>alert('hacked')</script>">

The exploit attempt fails, and no harm is done!